As reliance on electronic health records (EHRs) and connected devices in the healthcare industry expands, network security is becoming increasingly important. Healthcare providers and insurance companies collect, store and transmit large amounts of sensitive patient information, much of which may be at risk due to poor security practices, the emergence of new threats and a lack of education about the potential for breaches.
an average of one breach in the healthcare industry occurred every day in 2016
In 2016, an average of one breach in the healthcare industry occurred every day, collectively affecting over 27 million patient records, putting patients at risk and threatening the ability of medical practices to remain in compliance with privacy laws. Staying ahead of these and other threats facing modern healthcare requires education, diligence and professional support. To learn more about the impact cyber security has in the healthcare space, visit our healthcare solutions page.
Healthcare Challenges: 2018 and Beyond
Proliferation of Telemedicine and Care Clinics
With a growing population and aging baby boomers, the shortage of doctors has resulted in patients waiting an average of 24 days1 for a scheduled appointment. Telemedicine enables healthcare professionals to evaluate, diagnose, and treat patients regardless of the distance. Its benefits include flexible office hours, fewer patient waiting rooms, and more consistent follow-ups thanks to the convenience of video calling. However, despite these advantages, telemedicine holds significant cyber security risks and privacy concerns.
The nature of telemedicine makes it very easy for hackers to obtain treatment with a stolen identity because patients don’t need to present photo IDs or insurance cards like they would in person. Telemedicine also produces an entire network of new data that needs to be accounted for. From the transmission, via device provider, to storage in their Electronic Medical Record, the data should be secured and compliant as the information is highly sensitive and unique.
Maintaining Compliance and Accreditation
HIPAA (Health Insurance Portability and Accountability Act) set the standard for protecting patient data in the U.S. This legislation outlines safeguards that organizations must implement to protect the confidentiality, integrity and availability of online Protected Health Information (PHI). In 2013, the scope of HIPAA was expanded to encompass the increase use of outsourcing and cloud providers in healthcare. Failure to comply ranges in fines from hundreds to upwards of millions of dollars, to say nothing of the costly loss of credibility and potential revocation of medical licenses.
An Evolving Threat Landscape
Because the stakes are so high, the healthcare industry has emerged as a popular target for ransomware extortion. If data is stolen or withheld, or if systems are compromised, hospitals are more likely to pay criminals to reinstate critical systems and restore services to prevent serious consequences.
Ransomware incidents such as WannaCry infected 200,000 computers creating crisis situations in hospitals and clinics in 150 countries. National Health Service (NHS) facilities in England experienced computer and phone system disruption, system failures leading to surgery delays, cancelled appointments in addition to confusion by staff whose computers display a ransom message demanding Bitcoin. Not only can these incidents have horrible short-term impacts to patient care, they also affect a healthcare facility’s ability to compete over the long term if their reputation is tarnished.
Securing the Internet of Medical Things (IoMT)
Internet-connected medical devices have also become a regular fixture in healthcare, and 3.7 million devices now make up what is known as the Internet of Medical Things (IoMT). The implementation of EHRs was one of the most significant changes in the recent history of healthcare. For many providers, the switch from paper to electronic records occurred more quickly than the adoption of stronger security measures, leaving patient information vulnerable to potential attacks.
Additionally, embedded devices – such as defibrillators, infusion pumps, pacemakers, and many more – are now powered by Wi-Fi, remote monitoring, and near-field communication technologies. In fact, most hospitals average about 10-15 connected devices per bed. This allows healthcare professionals to modify and fine tune implanted devices without intrusive procedures, but such connectivity and interdependency among patients, professionals, and staff is vulnerable to hackers who take advantage of weak and unguarded security. Every device represents another potential vulnerability in the system, but only 55 percent of healthcare providers report having security controls in place for IoMT technology. The exposure to risks related to IoMT are already so large and only growing.
How Can Healthcare Providers Prevent Over-Exposure?
Raising awareness of vulnerabilities and threats is essential to prevent over-exposure of information in the healthcare sector. In many practices, the idea of security is out of sight and out of mind until a breach occurs. Only 34 percent of providers and insurance companies conduct comprehensive cyber security audits, but such audits are exactly the type of wakeup call the healthcare industry needs to realize the reality and extent of modern threats to patient information.
Security audits reveal potential vulnerabilities within electronic systems and provide a framework for developing protective strategies. Knowing where hackers may be able to gain access and what data may be compromised allows providers to focus on key areas in need of stronger security. Since hospitals, urgent care clinics and pharmacies are affected by breaches most often, it’s especially important for these facilities to develop comprehensive security plans.
A clear picture of what devices are being used, what information such devices are collecting and how each one accesses the network helps healthcare providers visualize areas of potential exposure and address each one appropriately. Managing and tracking connected devices, controlling how patients access their own records and protecting information shared in digital environments must be top priority in breach prevention.
Why Network Security is Critical for Healthcare
Adopting new technology has several benefits for healthcare instructions, including:
- Saving money
- Improving efficiency
- Reducing errors
- Increasing quality of care
Failing to adopt adequate security undermines all these benefits by giving hackers the openings they need to access health information. Patient data is extremely valuable to hackers. Stolen information can be used to commit identity theft and Medicare fraud or obtain unauthorized prescriptions. Regardless of the reasons behind a breach, being hacked can cost a healthcare facility or insurance provider millions of dollars. Small practices may be put out of business if the financial backlash is big enough.
Compliance is another major concern requiring strong cyber security. The HIPAA Security Rule requires healthcare providers to secure information when records are created and ensure ongoing security during the use, receipt and maintenance of data. The HIPAA Privacy Rule adds standards to limit what information can be used, how it may be used and who may obtain access. Breaches violate both rules by allowing unauthorized parties to view, access and transmit sensitive patient information.
Prioritizing security allows healthcare providers to take full advantage of the power of technology to improve and streamline the services provided to patients. Security measures must be scaled to address the amount and nature of data being stored, transferred and accessed so that the proper level of protection is always in place.
Healthcare Cyber Security Tips
Investing in security is one of the most important things any healthcare provider or insurance company can do to help patients. Lacking strong security exposes health information to hackers and does a disservice to the patients putting their trust in the facilities where they receive care.
To keep patient information safe, the healthcare industry must focus on:
- Minimizing vulnerabilities with regular hardware and software updates
- Implementing multi-level security on all networks
- Building a robust solution incorporating antivirus, anti-malware and anti-spyware tools
- Creating and maintaining strong passwords
- Enforcing policies regarding the use of third-party devices and removable media
- Setting up and running consistent offsite backups
- Developing disaster plans
- Educating staff members at all levels regarding the importance of security
- Maintaining a hierarchy of information access
Detailed knowledge of what information is being handled, how data is captured and stored, common uses of patient information and where and how records are being transferred is essential when implementing a security policy. Once policies are in place, routine monitoring must be performed to ensure no users within the system or malicious third parties outside the system are allowed to mishandle confidential patient information.
How WatchGuard Network Security Can Help
Because patient data is so complex, and information is constantly in motion, healthcare providers can benefit from using a professional platform to manage security. WatchGuard Network Security is designed for HIPAA compliance and offers a wide range of tools to protect networks from common vulnerabilities. By staying on top of the latest security threats, WatchGuard can provide consistent coverage with up-to-date protection for all its customers.
WatchGuard’s Total Security Suite can be set up physically, virtually or in the cloud. Upon implementation, this solution provides intrusion protection, blocks access to malicious websites, fights against spam, runs antivirus software and works in the background to detect possible threats. Protection against data loss provides peace of mind in the event of a disaster.
Other tools, such as data encryption and Wi-Fi security, strengthen the protection WatchGuard offers to the healthcare industry. Monitoring tools allow providers to track the use of information and generate reports visualizing the effectiveness of security measures. Managed security services provide support directly from WatchGuard so that healthcare workers can concentrate on patients rather than worrying about data loss.
Help from companies like WatchGuard makes it possible for healthcare providers and insurance companies to take on the growing problem of cybersecurity breaches and serve patients with confidence. Professional security coverage is a beneficial addition to a comprehensive cyber security plan, providing ongoing monitoring and routine reporting to help healthcare institutions stay on top of the latest threats.
Additional layers of security lower the risk of breaches to save providers money and increase the efficiency of patient care. Thanks to new advances in security coverage, it’s possible for the healthcare industry to move forward, embrace new technologies and provide the best service to all patients.
1. Merritt Hawkins, “2017 Survey of Physician Appointment Wait Times”